Attacks/Breaches

4/14/2017
09:28 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

The Long Slog To Getting Encryption Right

Encryption practices have improved dramatically over the last 10 years, but most organizations still don't have enterprise-wide crypto strategies.

While enterprises are making meaningful progress on improving their encryption practices, there's still a lot of work to go. Several major studies out in the last several months have underlined the highs and lows of encryption trends out in the real world.

On the plus side, the most recent research out this week from Ponemon Institute and Thales shows that the existence of enterprise-wide encryption strategies has more than doubled in the last decade and organizations are responding to cloud risks with improved encryption deployments for data at rest and in transit. On the negative side, this study and other industry numbers suggest that we haven't yet reached the tipping point of more than half of organizations following best practices--and that a sizeable number of organizations that use encryption are making big mistakes along the way.

“The accelerated growth of encryption strategies in business underscores the proliferation of mega breaches and cyberattacks, as well as the need to protect a broadening range of sensitive data types," says Dr. Larry Ponemon of Ponemon Institute. "Simply put, the stakes are too high for organizations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy."

This is the twelfth year running of the Global Encryption Trends Study and Ponemon has found that since 2006, the ratio of organizations with enterprise-wide encryption strategies has risen from under 20% to over 40%. It's a steady drumbeat of improvement, but the fact remains that the majority of organizations still don't have such a policy. Nevertheless, the steady tick upwards and additional survey data show that worries about data security regulations, protection of intellectual property, and protection of customer data are all driving gradual change for end-to-end encryption.

Certain areas are better than others when it comes to the current state of encryption deployment.

For example, with data at-rest Ponemon found that approximately 61% of organizations report that they routinely encrypt employee and HR data, 56% encrypt payment data, 49% encrypt financial records and 40% encrypt customer data. Meanwhile, a study out last week from Venafi highlighted prevalence of encryption of data-in-transit, with 57% of organizations reporting they encrypt 70% or more of their external web traffic and 41% doing the same for internal network traffic.

According to the Ponemon study, enterprises' focus on encryption and key management is being spurred on by increased cloud adoption as more data moves into third-party data centers. Approximately 67% of organizations report that they either perform encryption on premises prior to sending data to the cloud or encrypt data in the cloud using keys they generate and manage on premises. An additional 37% also report that they encrypt some cloud data using methods that turn complete control of keys and encryption processes to the cloud provider.  

This most recent study doesn't offer a fine point on how much data is going to the cloud completely unencrypted--but data out in 2016 from HyTrust showed that number to be pretty alarming. According to that study, about 28% of all data within all cloud workloads remain unencrypted. Even more troubling, a different 2016 study from Ponemon and Gemalto found that 76% of organizations don't encrypt or tokenize sensitive data sent to SaaS applications.  

A recent breach at Scottrade earlier this month highlights why a lack of encryption in the cloud is such a risk for enterprises. The online brokerage exposed loan applications for 20,000 customers after a third-party IT services provider uploaded information to the cloud without any encryption mechanisms in place.

"The data breach at Scottrade exemplifies the one-strike law for security in the cloud. In the public cloud, a single vulnerability, security or process lapse is all it takes to expose highly sensitive private data to the world and get datajacked," says Zohar Alon, CEO of Dome9. "Even with strict security controls in place, breaches such as this still occur due to very basic process failures."

Lapses like the one at Scottrade exemplify why it is important to not only encrypt sensitive data in the cloud, but also lock down policies for inventorying data whether in the cloud or on premises, for when and how it is encrypted, for how access is configured, and for how keys are managed.  

"It’s vitally important to encrypt sensitive data at-rest, but encryption alone isn’t sufficient. Even encrypted data is designed to be accessed by applications and authorized personnel," says Tim Erlin, vice president of product management and strategy for Tripwire. "Organizations have to protect the access methods, in addition to encryption, in order to protect data.”

With regard to key management, the study out this week from Ponemon shows that there's again steady improvement but lots of room to grow. Approximately 51% of organizations have a formal key management policy, but hardware security module (HSM) usage is still only at 38%. Of those, nearly half own and operate an HSM on-premises to support cloud deployments. On a positive note, nearly six in 10 of organizations that use HSMs say they have a centralized team that provides cryptography as a service across their entire organization.  

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JohnCorrigan
50%
50%
JohnCorrigan,
User Rank: Apprentice
5/2/2017 | 10:40:19 AM
Encryption growing in popularity
It's great to see the growing acceptance of encryption.  One of the most important trends is encryption for data in motion in the cloud and to mobile.  This is where information rights management solutions are coming to the fore.  If you are interested in learning about Information Rights Management see What is Information Rights Management

 
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12697
PUBLISHED: 2018-06-23
A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.
CVE-2018-12698
PUBLISHED: 2018-06-23
demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump.
CVE-2018-12699
PUBLISHED: 2018-06-23
finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
CVE-2018-12700
PUBLISHED: 2018-06-23
A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.
CVE-2018-11560
PUBLISHED: 2018-06-23
The webService binary on Insteon HD IP Camera White 2864-222 devices has a stack-based Buffer Overflow leading to Control-Flow Hijacking via a crafted usr key, as demonstrated by a long remoteIp parameter to cgi-bin/CGIProxy.fcgi on port 34100.